Abstract — In this paper, we introduce an efficient and trustworthy conditional privacy-preserving communication protocol for VANETs based on proxy re-signature. The proposed protocol is characterized by the Trusted Authority (TA) designating the Roadside Units (RSUs) to translate signatures computed by the On-Board Units (OBUs) into ones that are valid with respect to the TA's public key. In addition, the proposed protocol offers both a priori and a posteriori countermeasures: it not only provides fast anonymous authentication and privacy tracking, but also guarantees message trustworthiness for vehicle-to-vehicle (V2V) communications. Furthermore, it reduces the communication overhead and offers fast message authentication and low storage requirements. We use extensive analysis to demonstrate the merits of the proposed protocol and to contrast it with previously proposed solutions.

I. Introduction 

Vehicular ad hoc networks (VANETs) are very likely to become the most pervasive and applicable of mobile ad hoc networks (MANETs) in this decade. Different from traditional MANETs, a VANET contains not only mobile vehicles but also stationary roadside infrastructure. Equipped with communication devices, vehicles can communicate with each other or with the roadside units (RSUs) located at critical points of the road, such as intersections or construction sites. Different from vehicles, RSUs usually have no buffer constraint and can store a lot of information. According to the Dedicated Short Range Communications (DSRC) standard [1], each vehicle equipped with an OBU will broadcast routine traffic messages, such as its position, current time, direction, speed, acceleration/deceleration, and traffic events. In this way, drivers can get better awareness of the driving environment and take early action in abnormal situations to improve the safety of both vehicle drivers and passengers [2]. However, before the above attractive applications come into reality, the security and privacy issues should be addressed. Otherwise, a VANET could be subject to many security threats, which will lead to increasing malicious attacks and service abuses. More precisely, an adversary can either forge bogus messages to mislead other drivers or track the locations of the intended vehicles. Therefore, how to secure vehicle-to-vehicle communication in VANETs has been well studied in recent years [3]-[21].



Dealing with fraudulent messages in VANETs is a thorny 
issue due to its inherent self-organization. The situation is 
further deteriorated by the privacy requirements, i.e., the 
malicious vehicles are anonymous and cannot be identified in 
case of dispute. Countermeasures against fraudulent messages 
fall into two classes: a posteriori and a priori. 

With an a posteriori countermeasure, a trusted authority can disclose the real identity of the targeted OBU in case of a traffic event dispute, even though the OBU itself is not traceable by the public. In this way, punishment can be taken against vehicles that have been proven to have originated fraudulent messages (e.g., the violators will be excluded from the network). The existing a posteriori solutions for VANETs can mainly be categorized into the following classes. The first one is based on a large number of anonymous keys (denoted as LAB in the rest of this paper) [3], [4], the second one is based on a pure group-oriented signature, such as group signature and ring signature (denoted as GSB in the following) [5], [6], [8], while the last one employs the roadside units (RSUs) to assist the vehicle in authenticating messages (denoted as RSUB in the following) [10]-[12]. Though all of these solutions can meet the conditional privacy requirement, they are in vain against irrational attackers such as terrorists. Even for rational attackers, the damage has already occurred when punitive action is taken.

An a priori countermeasure attempts to prevent the generation of fraudulent messages. In this approach, a message is not considered valid unless it has been endorsed by a number of vehicles above a certain threshold. This approach is based on the assumption that most users are honest, and therefore they will not endorse any message containing false data. To achieve this, messages received must be distinguishable. The use of an honest majority to prevent the generation of fraudulent messages has previously been proposed in [15]-[17]. However, although the underlying assumption that there is a majority of honest vehicles in VANETs generally holds, it cannot be excluded that a number of malicious vehicles greater than or equal to the threshold are present in specific locations. Furthermore, for convenience in implementation, most schemes assume that the threshold, i.e., the required number of honest vehicles, should be treated as a one-size-fits-all concept in all cases. However, we argue that the threshold is a scenario-specific concept in the sense that different scenarios may have varying threshold requirements. Indeed, the threshold should be adaptive according to the traffic density and the message scope: a low density of vehicles calls for a lower threshold, whereas a high density and a message relevant to all of the traffic in a city require a sufficiently high threshold.

To address these issues, this paper proposes an efficient and trustworthy conditional privacy-preserving authentication protocol for vehicle-to-vehicle communication based on proxy re-signature [22]. Compared to previous message-authentication schemes [3]-[21], our scheme (which we dub PRSB) has the following unparalleled features that, we believe, make it an excellent candidate for future VANETs:

• Achieving both a priori and a posteriori countermeasures: Using the proxy re-signature to secure vehicle-to-vehicle communication, the RSUs can be allowed to transform an OBU's signature into a TA's signature on the same message. This conceals the unique identity of the OBU to prevent information leakage to a malicious adversary, while still allowing for internal auditing by the RSUs. Furthermore, an RSU can distinguish by itself whether the message was signed by the same cheating vehicle multiple times or by multiple honest vehicles. In this way, our scheme lets the RSUs transform only the messages endorsed by a number of vehicles greater than or equal to a threshold, and the vehicles endorsing cheating messages can later be traced. We also note that a recent proposal in [17] also achieves both a priori and a posteriori countermeasures by drawing on the linkable group signature.

• Efficiency: Different from GSB protocols [5], [6], [17], the proposed protocol can efficiently deal with a growing revocation list and does not rely on updating the group public key and private key at all unrevoked vehicles. Furthermore, our protocol does not rely on a large storage space at each vehicle. Clearly, since the OBU only needs to generate an ordinary signature instead of an anonymous signature, the OBU communication and computation overhead will be reduced on a fairly large scale.

• Threshold-adaptivity: The threshold in our proposal can 
be adaptive according to the traffic context, unlike most 
previous schemes in which the threshold has to be preset 
during the stage of system initialization. This feature 
enables our proposal to be deployed in complicated traffic 
scenarios. 

The remainder of this paper is organized as follows. Section II presents background information related to vehicular network design and operation and surveys additional related work. Section III presents the problem formulation, system architecture, and design objectives as well as the key cryptographic techniques our solution is based on: bilinear maps and proxy re-signatures. Section IV details the proposed security protocol, followed by the security analysis and the performance analysis in Section V and Section VI, respectively. Section VII concludes this paper.

Fig. 1. Network Model

II. Background and Related Work 

A. System Model 

Similar to previous work [10]-[13], the considered system includes three types of entities: the top Trusted Authority (TA), the immobile RSUs at the roadside, and the moving vehicles equipped with on-board units (OBUs).

• OBU: A vehicle needs to be registered with the TA with its public system parameters and corresponding private key before it joins the VANET. The secret information to be used, such as private keys, generates the need for a tamper-proof device in each vehicle. Similar to previous work, we assume that access to this tamper-proof device is restricted to authorized parties. OBUs are mobile and moving most of the time. When the OBUs are on the road, they regularly broadcast routine safety messages, such as position, current time, direction, speed, traffic conditions, and traffic events. The information system on each vehicle aggregates and processes these messages to enable drivers to form a better awareness of their environment (Fig. 1). The population of OBUs in the system could be up to billions (as, today, there are about a quarter of a billion light vehicles in the US alone).

• RSU: The RSUs are subordinate to the TA and hold storage units for storing information coming from the TA and the OBUs. The main tasks of RSUs are (1) translating an OBU's signature into one under the TA's public key on the same message, and (2) assisting the TA to efficiently track the real OBU identity behind any safety message. Without the authorization of the TA, the RSUs will not disclose any inner information. We remark that each RSU is physically secure and cannot be compromised. Meanwhile, RSUs cannot generate signatures on behalf of either the OBU or the TA. Different from the vehicles, we assume that RSUs have neither computation and energy constraints nor buffer size constraints. Because there are no computation and storage constraints at RSUs, RSUs can serve as the proxy to translate the signatures from OBUs.

• TA: The TA is in charge of the registration of all RSUs and of the OBUs each vehicle is equipped with. The TA can reveal the real identity of a safety message sender by cooperating with its subordinate RSUs. To this end, the TA requires ample computation and storage capability; the TA cannot be compromised and is fully trusted by all parties in the system.

The network dynamics are characterized by quasi-permanent mobility, high speed, and (in most cases) short connection times between neighboring vehicles or between a vehicle and a roadside infrastructure network access point. The assumed communication protocol between neighboring OBUs or between an OBU and an RSU is 5.9 GHz Dedicated Short Range Communication (DSRC) [1], IEEE 802.11p.

B. Related Work 

To achieve both message authentication and conditional anonymity, Raya et al. [3], [4] introduced the LAB protocol. Their key idea is to install on each OBU a large number of private keys and their corresponding anonymous certificates. To sign each launched message, a vehicle randomly selects one of its anonymous certificates and uses its corresponding private key. The other vehicles use the public key of the sender enclosed with the anonymous certificate to authenticate the source of the message. These anonymous certificates are generated by employing the pseudo-identities of the vehicles, instead of taking any real identity information of the drivers. Each certificate has a short lifetime to meet the drivers' privacy requirement. Although the LAB protocol can effectively meet the conditional privacy requirement, it is inefficient and may meet a scalability bottleneck. The reason is that a sufficient number of certificates must be issued to each vehicle to maintain anonymity over a significant period of time. As a result, the certificate database to be searched by the TA in order to match a compromised certificate to its owner's identity is huge. In addition, the protocols of [4] are extended for providing confidentiality in specific scenarios of VANET implementations in [19]. Subsequently, Lin et al. [9] developed the 'time-efficient and secure vehicular communication' scheme (TSVC) based on the TESLA (Timed Efficient Stream Loss-tolerant Authentication) standard (RFC 4082) [23]. With TSVC, a vehicle first broadcasts a commitment of a hash chain to its neighbors and then uses the elements of the hash chain to generate a message authentication code (MAC) with which other neighbors can authenticate this vehicle's following messages. Because of the fast speed of MAC verification, the computation overhead of TSVC is reduced significantly. However, TSVC also requires a huge set of anonymous public/private key pairs as well as their corresponding public key certificates to be preloaded in each vehicle. Furthermore, TSVC may not be robust when the traffic becomes extremely dynamic, as a vehicle would have to broadcast its key chain commitment much more frequently.



Lin et al. [6], [7] proposed the GSB protocol, based on the group signature [24]. With GSB, each vehicle stores only a private key and a group public key. Messages are signed using the group signature scheme without revealing any identity information to the public. Thus privacy is preserved while the trusted authority is able to track the identity of the sender. However, the time for safety message verification grows linearly with the number of revoked vehicles in the revocation list of the entire network. Hence, each vehicle has to spend additional time on safety message verification. Furthermore, when the number of revoked vehicles in the revocation list is larger than some threshold, the protocol requires every remaining vehicle to calculate a new private key and group public key based on the exhaustive list of revoked vehicles whenever a vehicle is revoked. Lin et al. [6], [7] do not explore solutions to effectively update the system parameters for the participating vehicles in a timely, reliable and scalable fashion. This issue is not explored and represents an important obstacle to the success of this scheme. To address the scalability concern, Xiong et al. [8] proposed a spontaneous protocol based on the revocable ring signature [25], which allows the vehicle to generate the message without requiring online assistance from the RSUs or the other vehicles. In this solution, the remaining vehicles are not required to update their system parameters regardless of the number of revoked vehicles. However, this protocol suffers a larger communication overhead than the other protocols because the length of a ring signature depends on the size of the ring.

Recently, Zhang et al. [10], [11] proposed a novel RSU-aided message authentication scheme (RSUB), which makes the RSUs responsible for verifying the authenticity of messages sent from vehicles and for notifying the results back to vehicles. Compared to the solutions previously mentioned, this scheme enables lower computation and communication overheads for each vehicle. Independently, Lu et al. [12] introduced an efficient conditional privacy preservation protocol for VANETs based on generating on-the-fly short-lived anonymous keys for the communication between vehicles and RSUs. These keys enable fast anonymous authentication and conditional privacy. Furthermore, Wasef et al. [18] proposed an RSU-aided Distributed Certificate Service (DCS) scheme along with a hierarchical authority architecture. In this way, vehicles can update their pseudonymous certificate sets from the RSUs. However, all of the above solutions fall into the a posteriori countermeasures, which can only exclude rational attackers by punishing the malicious users after the attack.

To reduce the damage to a bare minimum, a priori countermeasures have been proposed to prevent the generation of fake messages. In this approach, a message is not considered valid unless it has been endorsed by a number of vehicles above a certain threshold. Most recently, Kounga et al. [16] proposed a solution that permits vehicles to verify the reliability of information received from anonymous origins. In this solution, each vehicle can generate the public/private key pairs by itself. However, the assumption in this solution is very restrictive in that additional hardware is needed on the OBU. After that, a proposal following the a priori protection paradigm based on threshold signature was presented by Daza et al. [15]. Nevertheless, to obtain anonymity, this protocol assumes that the OBU installed on the vehicle can be removable and that multiple OBUs could alternatively be used with the same vehicle (like several cards can be used within a cell phone at the same time). Thus, this assumption may enable a malicious adversary to mount the so-called Sybil attack: vehicles using different anonymous key pairs from the corresponding OBUs can sign multiple messages to pretend that these messages were sent by different vehicles. Since multiple OBUs can be installed on the same vehicle, no one can find out whether all of these signatures come from the same vehicle or not. After that, Wu et al. [17] proposed a novel protocol based on linkable group signature, which is equipped with both a priori and a posteriori countermeasures. However, they face the same adverse conditions as the GSB protocol, in which the verification time grows linearly with the number of revoked vehicles and every remaining vehicle needs to update its private key and group public key when the number of revoked vehicles is larger than some threshold.

III. Preliminaries 

A. Objectives 

To avoid reinventing the wheel, we refer the readers to other 
works [3], [6], [17] for a full discussion of the attacker model. 
In the context of this work, we focus on the following security 
objectives. 

1) Efficient anonymous authentication of safety messages: The proposed scheme should provide an efficient and anonymous message authentication mechanism. First, all accepted messages should be delivered unaltered, and the origin of the messages should be authenticated to guard against impersonation attacks. Meanwhile, from the perspective of vehicle owners, it may not be acceptable to leak personal information, including identity and location, while authenticating messages. Therefore, providing a secure yet anonymous message authentication is critical to the applicability of VANETs. Furthermore, the proposed scheme should have low overheads for safety message verification and storage at OBUs.

2) Efficient tracking of the source of a disputed safety message: An important and challenging issue in these conditions is enabling the TA to retrieve a vehicle's real identity from its pseudo-identity. If this feature is not provided, anonymous authentication can only prevent an outside attack, but cannot deal with an inside one. Furthermore, the system should not only provide safety message traceability to prevent inside attacks, but also have reasonable overheads for revealing the identity of a message sender.

3) Threshold authentication: A message is viewed as trustworthy only after it has been endorsed by at least n vehicles, where n is a threshold. The threshold mechanism is an a priori countermeasure that improves the confidence of other vehicles in a message. In addition, the threshold in the proposed scheme should be adaptive, that is to say, the sender can dynamically change the threshold according to the traffic context and scenarios.

B. Bilinear Maps 

Since bilinear maps [26] are the basis of our proposed scheme, we briefly introduce them here.

Multiplicative cyclic groups $(G, G_T)$ of prime order $q$ are called bilinear map groups if there is an efficiently computable mapping $e: G \times G \to G_T$ with the following properties:

1) Bilinearity: For all $g, h \in G$ and $a, b \in \mathbb{Z}$, $e(g^a, h^b) = e(g, h)^{ab}$.

2) Non-degeneracy: $e(g, h) \neq 1_{G_T}$ whenever $g, h \neq 1_G$.

Such an admissible bilinear map $e$ can be constructed by the modified Weil or Tate pairing on elliptic curves. For example, the Tate pairing on MNT curves [27] gives an efficient implementation, and an element of $G$ can be represented in 161 bits when the order $q$ is a 160-bit prime. With this construction, the discrete logarithm problem in $G$ reaches the 80-bit security level.

C. Proxy Re-Signature 

Proxy re-signature schemes, introduced by Blaze, Bleumer, and Strauss [28], and formalized later by Ateniese and Hohenberger [29], allow a semi-trusted proxy to transform a delegatee's signature into a delegator's signature on the same message by using some additional information. Proxy re-signature can be used to implement anonymizable signatures in which outgoing messages are first signed by specific users. Before releasing them to the outside world, a proxy translates the signatures into ones that verify under a system's public key so as to conceal the original issuer's identity and the internal structure of the organization. Recently, Libert et al. [22] have introduced the first multi-hop unidirectional proxy re-signature scheme, wherein the proxy can only translate signatures in one direction and messages can be re-signed a polynomial number of times. We use this scheme as the basis for our efficient and trustworthy conditional privacy-preservation protocol.

IV. Efficient and Trustworthy Vehicular 
Communications Scheme 

This section describes in detail our efficient and trustworthy privacy-preserving protocol for VANETs. The TA, as the delegator, designates the RSUs to translate signatures computed by the OBUs, the delegatees, into ones that are valid w.r.t. the TA's public key, by storing the re-signature keys at the RSUs. Upon receiving an OBU's signature, an RSU can validate it and re-sign the message using the re-signature key. This message can be anonymously authenticated by any vehicle participating in the system by verifying this signature (the only information needed for verification is the TA's public key). In this way, proxy re-signatures can be used to conceal the identities of the OBUs. Furthermore, RSUs can log which OBU signed the message for resolving disputes, but keep that information confidential from the public.

The notation used throughout this paper is listed in Table I. The proposed security protocol is an extension of the proxy re-signature scheme [22] in order to support conditional anonymous authentication with trustworthiness. Specifically, the proposed security protocol contains four phases, which are described in the following paragraphs.

TABLE I
Notations

Notation                          Description
TA                                Trusted Authority
$V_i$                             The $i$th vehicle
$RSU_j$                           An RSU working at location $L_j$
$G, G_T$                          Two cyclic groups of the same order $q$
$g$                               The generator of $G$
$RID_i$                           The real identity of the vehicle $V_i$
$ID_i$                            The pseudo-identity of the vehicle $V_i$
$M$                               A message sent by the vehicle $V_i$
$x_i$                             The private key of the vehicle $V_i$
$X_i = g^{x_i}$                   The corresponding public key of the vehicle $V_i$
$x_{RSU_j}$                       The private key of the RSU $RSU_j$
$X_{RSU_j} = g^{x_{RSU_j}}$       The corresponding public key of the RSU $RSU_j$
$x_{TA}$                          The private key of the TA
$X_{TA} = g^{x_{TA}}$             The corresponding public key of the TA
$H_1(\cdot)$                      A hash function $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$
$H_2(\cdot)$                      A hash function $H_2: \{0,1\}^* \to G$
$Enc_K(\cdot)$                    A secure symmetric encryption algorithm with secret key $K$
$a \| b$                          String concatenation of $a$ and $b$

TABLE II
Message Format for OBU

Field      Message ID   Payload     Timestamp   $RSU_j$'s Public Key   Signature
Length     2 bytes      100 bytes   4 bytes     20 bytes               20 bytes

A. System Initialization 

Firstly, as described in Section II-A, we assume each vehicle is equipped with a tamper-proof device, which is secure against any compromise attempts in any circumstance. With the tamper-proof device on vehicles, an adversary cannot extract any data stored in the device, including key material, data, and code [3]. We assume that there is a Trusted Authority (TA) which is in charge of registering the RSUs and the OBUs installed on the vehicles. Prior to the network deployment, the TA sets up the system parameters for each OBU and RSU as follows:

• Let $G, G_T$ be two cyclic groups of the same order $q$. Let $e: G \times G \to G_T$ be a bilinear map.

• The TA first randomly chooses $x_{TA} \in_R \mathbb{Z}_q^*$ as its private key, and computes $X_{TA} = g^{x_{TA}}$ as its public key. The TA also chooses two secure cryptographic hash functions $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2: \{0,1\}^* \to G$, and a secure symmetric encryption algorithm $Enc_K(\cdot)$ with secret key $K$.

• The TA generates a public/private key pair for each subordinate $RSU_j$ working at location $L_j$ as follows:

  - The TA randomly selects an integer $x_{RSU_j} \in_R \mathbb{Z}_q^*$ and computes $X_{RSU_j} = g^{x_{RSU_j}}$.

  - The TA sends the public/private key pair to $RSU_j$ through a secure channel.

• Each vehicle $V_i$ with real identity $RID_i$ generates its public/private key pair as follows:

  - The vehicle $V_i$ first chooses $x_i \in_R \mathbb{Z}_q^*$ as its private key, and computes $X_i = g^{x_i}$ as its public key.

  - $V_i$ randomly selects an integer $t_i \in_R \mathbb{Z}_q^*$ to determine the verification information of $X_i$: $a_i = H_1(g^{t_i} \| RID_i)$ and $b_i = (t_i + x_i \cdot a_i)$. Then $V_i$ sends $\{X_i, RID_i, a_i, b_i\}$ to the TA.

  - After receiving $\{X_i, RID_i, a_i, b_i\}$, the TA checks whether the following equation holds:

    $a_i = H_1(g^{b_i} \cdot X_i^{-a_i} \| RID_i)$

    If it holds, then $\{X_i, RID_i\}$ is identified as a valid public key and identity. Otherwise, it will be rejected. After that, the TA stores $(X_i, RID_i)$ in its records.

  - In the end, the TA generates the re-signature key $R_i = X_i^{1/x_{TA}}$, which allows turning signatures from vehicle $V_i$ into signatures from the TA, and sends the item $(R_i, X_i)$ to all RSUs through a secure channel.

• Each vehicle is preloaded with the public parameters $\{G, G_T, q, X_{TA}, H_1, H_2, Enc_K(\cdot)\}$. In addition, the tamper-proof device of each vehicle is preloaded with its private/public key pair $(x_i, X_i)$ and corresponding anonymous certificates (these certificates are generated by taking the vehicle's pseudo-identity $ID_i$).

B. OBU Safety Message Generation 

The format of the safety messages sent by the OBU is defined in Table II, which consists of five fields: message ID, payload, timestamp, $RSU_j$'s public key and signature. The message ID defines the message type, and the payload field may include information on the vehicle's position, direction, speed, traffic events, event time, and so on. According to [31], the payload of a safety message is 100 bytes. A timestamp is used to prevent message replay attacks. The next field is $X_{RSU_j}$, the public key of the RSU which will translate the signature computed by the OBU. The first four fields are signed by the vehicle, from which the "signature" field is derived. Table II specifies the suggested length for each field.
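As an added example, not code from the paper, the following packs and parses the Table II layout (2-byte message ID, 100-byte payload, 4-byte timestamp, 20-byte RSU public key, 20-byte signature, 146 bytes in total). Big-endian field encoding, zero-padding of short payloads and a 30-second freshness window are assumptions made here; the paper specifies none of them. The public key and signature fields are treated as opaque 20-byte strings. Parsing rejects a message whose embedded RSU public key is not the receiving RSU's own, and a stale or future timestamp, which is the replay check the timestamp field exists for.

```python
"""Packer/parser for the OBU safety message layout of Table II (added example,
not the paper's code).  Field sizes follow the table; the byte order, the
zero-padding of short payloads and the freshness window are assumptions."""
import struct
from dataclasses import dataclass

HEADER = struct.Struct(">H100sI20s")  # ID || Payload || Timestamp || X_RSU (big-endian assumed)
SIG_LEN = 20
MSG_LEN = HEADER.size + SIG_LEN       # 126 + 20 = 146 bytes on the wire
MAX_AGE_S = 30                        # assumed replay window for the timestamp check


@dataclass
class SafetyMessage:
    msg_id: int
    payload: bytes
    timestamp: int
    rsu_pub: bytes     # X_RSU_j, opaque 20 bytes here
    signature: bytes   # sigma^(1), opaque 20 bytes here

    def to_be_signed(self):
        """The first four fields: exactly the bytes the OBU signs (Section IV-B)."""
        if len(self.payload) > 100 or len(self.rsu_pub) != 20:
            raise ValueError("payload/rsu_pub length violates Table II")
        return HEADER.pack(self.msg_id, self.payload.ljust(100, b"\0"),
                           self.timestamp, self.rsu_pub)

    def pack(self):
        if len(self.signature) != SIG_LEN:
            raise ValueError("signature must be 20 bytes")
        return self.to_be_signed() + self.signature


def parse(buf, now, expected_rsu_pub):
    """Parse one wire message and apply the RSU-side sanity checks; ValueError on any defect."""
    if len(buf) != MSG_LEN:
        raise ValueError(f"expected {MSG_LEN} bytes, got {len(buf)}")
    msg_id, payload, ts, rsu_pub = HEADER.unpack(buf[:HEADER.size])
    if rsu_pub != expected_rsu_pub:
        raise ValueError("message carries a different RSU public key")
    if not (now - MAX_AGE_S <= ts <= now + MAX_AGE_S):
        raise ValueError("stale or future timestamp (possible replay)")
    # trailing zero bytes are treated as padding (simplification of this example)
    return SafetyMessage(msg_id, payload.rstrip(b"\0"), ts, rsu_pub, buf[HEADER.size:])
```

Signing and verification operate on `to_be_signed()`, so a receiver re-derives the signed bytes from the parsed fields rather than trusting any length prefix.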

To endorse a message $M$, vehicle $V_i$ generates a signature on the message, and then encrypts and sends it to $RSU_j$. After receiving $n$ or more valid signatures from the vehicles, $RSU_j$ re-signs the message with the corresponding re-signature key and broadcasts the trustworthy signature. Fig. 2 shows the OBU safety message generation, and the detailed protocol steps are described as follows.

1) $RSU_j$ broadcasts its public key $X_{RSU_j}$ periodically, e.g., every 5 sec;

2) $V_i$ computes the signature $\sigma^{(1)} = H_2(M)^{x_i} \in G$ on message $M$, where $x_i$ is $V_i$'s secret key and $M$ is formatted as $[ID_{type} \| Payload \| Timestamp \| X_{RSU_j}]$. Then, $V_i$ randomly chooses $r \in_R \mathbb{Z}_q^*$ and computes the shared secret key $\phi = X_{RSU_j}^r$ and the hint $\psi = g^r$. After that, $V_i$ sends $(\psi, Enc_\phi(M, \sigma^{(1)}, X_i))$ to $RSU_j$;

3) $RSU_j$ computes the shared secret key $\phi' = \psi^{x_{RSU_j}} = g^{r \cdot x_{RSU_j}}$ to decrypt the received message, and then looks up the newly updated revocation list from the TA to check the validity of the public key $X_i$. After that, $RSU_j$ checks whether the signature is valid as follows: $e(\sigma^{(1)}, g) = e(X_i, H_2(M))$. Then $RSU_j$ checks the validity of the RSU's public key and the freshness of the timestamp embedded in the message.

4) After receiving $n$ or more valid signatures from the vehicles on the same message $M$, $RSU_j$ searches for $(R_i, X_i)$ according to $(M, \sigma^{(1)}, X_i)$ in its database. Then $RSU_j$ randomly chooses $s \in_R \mathbb{Z}_q^*$ and computes

$\sigma^{(2)} = (\sigma_0, \sigma_1, \sigma_2) = ((\sigma^{(1)})^s, X_i^s, R_i^s) = (H_2(M)^{x_i \cdot s}, X_i^s, g^{s \cdot x_i / x_{TA}})$

where $R_i$ has been preloaded along with $X_i$ in $RSU_j$ during the initialization phase. Then $RSU_j$ stores the item $(M, X_i)$ in the trace evidence table in its local database. In the end, $RSU_j$ broadcasts the trustworthy signature $(M, \sigma^{(2)})$ to all vehicles within its coverage range.

Note that the threshold $n$ can adaptively be changed according to the type of message and various scenarios. For instance, if the message is an alert about emergency braking by the vehicle ahead, the threshold can be set as low as 1. However, if the message is an announcement that will affect many vehicles, the threshold can be set appropriately high to improve the trustworthiness, also taking into account the vehicle density within the RSU's communication range. In this way, the signature is turned into a trustworthy signature under the TA's public key.

Fig. 2. OBU Safety Message Generation (protocol diagram between the OBU $(ID_i, RID_i)$ and $RSU_j$ at location $L_j$: (1) $RSU_j$ broadcasts $X_{RSU_j}$; (2) the OBU formats $M = [ID_{type} \| Payload \| Timestamp \| X_{RSU_j}]$, computes $\sigma^{(1)} = H_2(M)^{x_i}$ and sends $(\psi, Enc_\phi(M, \sigma^{(1)}, X_i))$; (3) $RSU_j$ recovers $\phi' = \psi^{x_{RSU_j}}$, decrypts, checks the timestamp and $X_{RSU_j}$, checks $e(\sigma^{(1)}, g) = e(H_2(M), X_i)$, computes $\sigma^{(2)}$ from $(\sigma^{(1)}, X_i, R_i)$ and broadcasts $(M, \sigma^{(2)})$.)

C. Message Verification

Once a trustworthy message is received, the receiving vehicle performs signature verification by checking whether the following conditions are true:

$e(\sigma_0, g) = e(H_2(M), \sigma_1)$ and $e(\sigma_1, g) = e(\sigma_2, X_{TA})$

This verification provides vehicles with the assurance that such a signature can only have been computed if at least $n$ vehicles have endorsed $M$.

D. OBU Fast Tracing

If a vehicle produced a signature on the message $M$ and this message was found to be fraudulent, a membership tracing operation is started to determine the real identity of the signature originator. In detail, the TA first locates the RSU by extracting the RSU's public key $X_{RSU_j}$ from the message $[ID_{type} \| Payload \| Timestamp \| X_{RSU_j}]$. At the TA's demand, $RSU_j$ then retrieves the public key of the source of the disputed safety message $M$ by searching its trace evidence table for the item $(M, X_i)$ and returns $X_i$ to the TA, and then the TA recovers the real identity from the returned public key.

V. Security Analysis 

We analyze the security of the proposed scheme in terms 
of the following four aspects: message authentication, user 
identity privacy preservation, traceability by the TA, and 
threshold authentication. 

• Message authentication. Message authentication is the basic security requirement in vehicular communications. In the proposed scheme, the signature $\sigma^{(1)}$ w.r.t. public key $X_i$ can only be generated by the vehicle $V_i$, who holds the corresponding private key $x_i$. Without knowing the discrete logarithm $x_i$ of the public key $X_i$, it is infeasible to forge a valid signature $\sigma^{(1)}$. If a signature $\sigma^{(1)}$ w.r.t. public key $X_i$ passes the verification procedure, it must be an intact, fresh message generated by $V_i$. This implies that the attacker cannot cheat the RSU by forging a new valid message, modifying an existing valid message, or replaying a once valid but now expired message. Meanwhile, the signature $\sigma^{(2)}$ can only be translated from $\sigma^{(1)}$ by the RSU using the corresponding re-signature key $R_i$. Furthermore, the RSU cannot generate a valid signature $\sigma^{(1)}$ on behalf of $V_i$ using $R_i$. Thus, the adversary cannot forge a valid signature $\sigma^{(2)}$ even when it knows the corresponding re-signature key $R_i$.

• Threshold authentication. If a vehicle $V_i$ tries to cheat the RSU by endorsing the same message more than once, the RSU can easily link the multiple signatures by comparing the public key $X_i$ along with the message. Such messages can either be simply discarded or sent to the TA to trace the cheating vehicle. Hence, the Sybil attack is avoided in our privacy-preserving scheme.

• Identity privacy preservation. The message M and the signature $\sigma^{(1)}$ with respect to public key $X_i$ are only exposed to $RSU_j$ and $V_i$, since the communication between $V_i$ and $RSU_j$ is confidential. Finding the shared secret key $\phi$ from $\psi$ and $X_{RSU_j}$ is an instance of the CDH problem: given $g$, $\psi = g^r$ and $X_{RSU_j} = g^{x_{RSU_j}}$, find $\phi = g^{r \cdot x_{RSU_j}}$. Thus, only $RSU_j$ can link $(X_i, \sigma^{(1)})$ to the corresponding message M. Given a valid translated signature of some message, it is computationally difficult for any vehicle in the system to identify the actual sending vehicle, since the only information needed to verify the correctness of the signature is the TA's public key $X_{TA}$.

• Traceability. Given the disputed signature, only the cooperation between the TA and $RSU_j$ can trace the real identity of a message sender, using the OBU tracing procedure described in section IV-D. Besides, the tracing process carried out by the TA does not require any interaction with the message generator. Instead, the signature itself provides the authorship information to the TA. Therefore, once a signature is in dispute, the TA has the ability to trace the disputed message, so traceability is well satisfied.
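The threshold-authentication and traceability items above both rest on the RSU keeping a trace evidence table indexed by $(M, X_i)$: repeated endorsements of one message by the same public key are linkable, distinct endorsers are counted toward the threshold n, and the TA's tracing request of section IV-D is answered by a lookup in that table. The following is an added example of that RSU-side bookkeeping, written for this page; it is not the paper's own code. The table layout, the class and function names, the string encoding of public keys and the sample message are assumptions; the pairing-based signatures themselves are out of scope here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hypothetical encodings: the OBU public key X_i and the message M are kept as
# strings so the bookkeeping can be shown without a pairing library.
Message = str
PublicKey = str

# Constructed sample safety message (not from the paper).
SAMPLE_MESSAGE = "event=hard-braking;lane=2;ts=constructed"


@dataclass
class EndorsementTable:
    """Trace evidence table kept by one RSU (assumed structure).

    endorsers maps a message M to the set of distinct OBU public keys X_i
    that endorsed it, i.e. the items (M, X_i) of section IV-D.
    suspicious records (M, X_i) pairs where the same key endorsed M twice,
    which is the linkable Sybil attempt of the threshold-authentication item.
    """
    threshold: int
    endorsers: Dict[Message, Set[PublicKey]] = field(default_factory=dict)
    suspicious: Set[Tuple[Message, PublicKey]] = field(default_factory=set)

    def endorse(self, message: Message, public_key: PublicKey) -> str:
        """Record one endorsement of `message` by `public_key`.

        Returns "duplicate" when X_i already endorsed M (linked by comparing
        the public key along with the message), "threshold_reached" once n
        distinct vehicles have endorsed M, and "accepted" otherwise.
        """
        seen = self.endorsers.setdefault(message, set())
        if public_key in seen:
            # Same X_i, same M: the RSU links the signatures and flags the pair
            # for discarding or forwarding to the TA.
            self.suspicious.add((message, public_key))
            return "duplicate"
        seen.add(public_key)
        if len(seen) >= self.threshold:
            return "threshold_reached"
        return "accepted"

    def endorsement_count(self, message: Message) -> int:
        """Number of distinct OBU public keys that endorsed `message`."""
        return len(self.endorsers.get(message, set()))

    def can_resign(self, message: Message) -> bool:
        """The RSU should translate the signature only once at least n
        distinct vehicles have endorsed M."""
        return self.endorsement_count(message) >= self.threshold

    def trace(self, message: Message, public_key: PublicKey) -> Optional[PublicKey]:
        """Tracing lookup of section IV-D: on the TA's request, search the
        table for the item (M, X_i) and return X_i if it is recorded."""
        if public_key in self.endorsers.get(message, set()):
            return public_key
        return None


def demo() -> Tuple[EndorsementTable, list]:
    """Run a constructed endorsement sequence with threshold n = 3."""
    table = EndorsementTable(threshold=3)
    results = [
        table.endorse(SAMPLE_MESSAGE, "X_1"),  # first endorser
        table.endorse(SAMPLE_MESSAGE, "X_2"),  # second endorser
        table.endorse(SAMPLE_MESSAGE, "X_2"),  # X_2 again: linkable, flagged
        table.endorse(SAMPLE_MESSAGE, "X_3"),  # third distinct endorser
    ]
    return table, results


if __name__ == "__main__":
    tbl, res = demo()
    print(res, tbl.can_resign(SAMPLE_MESSAGE), sorted(tbl.suspicious))
```

The duplicate endorsement from X_2 does not raise the count, so the threshold is only reached with the third distinct key; the flagged pair stays in the table for the TA, and the same table answers the tracing lookup without any interaction with the vehicle.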

VI. Performance Evaluation 

This section evaluates the performance of the proposed 
scheme in terms of storage requirements, and computational 
and communication overheads. 

A. OBU Storage Overheads 

This subsection compares the OBU storage overhead of our protocol, which we dub PRSB, with three previously proposed protocols: LAB [3], [4], [9], RSUB [12] and GSB [6], [8], [17]. In the LAB protocol, each OBU stores not only its own $N_{key}$ anonymous key pairs, but also all the anonymous public keys and their certificates in the revocation list (the notations adopted in the description are listed in Table III). Let each key (with its certificate) occupy one storage unit. If there are m OBUs revoked, then the number of revoked anonymous public keys is $m \cdot N_{key}$. Thus, the total storage overhead in the LAB protocol (denoted as $S_{LAB}$) is $S_{LAB} = (m+1)N_{key}$. Assuming that $N_{key} = 10^4$, we have $S_{LAB} = (m+1) \cdot 10^4$. In the GSB protocol, each OBU stores one private key issued by the trusted party, and the m revoked public keys in the revocation list. Let $S_{GSB}$ denote the total storage units of the GSB protocol. Thus, $S_{GSB} = m+1$. Both in the RSUB protocol [12] and in our protocol, each OBU stores one public/private key pair issued by the trusted party, and its anonymous certificate issued by the RSU. Since the OBU does not need to store the revocation list, the storage overhead in the RSUB protocol and in ours is only two units, denoted as $S_{RSUB} = S_{PRSB} = 2$.

Fig. 3 shows the storage units of the LAB protocol, GSB protocol, RSUB protocol and our protocol as m increases. Observe that the OBU storage overhead in the LAB protocol increases linearly with m, and is much larger than that in the other three protocols. The storage overhead of the GSB protocol is still small in spite of its linear increase with m, while the storage overhead in the RSUB and our protocol is the most efficient, since it does not increase with m.

TABLE III
Notations and rough scale

Notation    Description                                          Scale
N_obu       The number of OBUs in the system                     10'
N_okey      The number of anonymous keys owned by one OBU        10^4
N_rsu       The number of RSUs in the system                     10^4
N_rkey      The number of anonymous keys processed by one RSU    10^4

Fig. 3. OBU storage overhead for the protocols compared as a function of the number of revoked OBUs

B. OBU Communication Overhead 

This section compares the communication overheads of the 
protocols studied. We assume that all protocols generate a 
timestamp to prevent replay attacks so we exclude the length 
of the timestamp in this analysis. 

For the LAB protocol, each message yields 181 bytes as the additional overhead due to cryptographic operations, which includes a certificate and an Elliptic Curve Digital Signature Algorithm (ECDSA) signature¹. For the GSB_1 [6], GSB_2 [8] and GSB_3 [17] protocols, each message yields 197, 60n + 60 and 133 bytes as the additional overhead, respectively, where n represents the number of public key pairs used to generate the ring signature in [8]. For the RSUB protocol, the additional communication overhead is 70/k + 40 + 147 bytes, where the first term represents the communication overhead caused by generating the short-term anonymous key, the second term represents the length of the signature sent by the vehicle, and the last term is the length of the short-term anonymous key and its corresponding certificate, which are reused across k messages (as the RSUB protocol re-generates the anonymous key only every k messages). For the proposed protocol, the additional communication overhead is 2 + 20 + 20 + 20 + 20 bytes, where the first term represents the communication overhead caused by the message ID, the second term represents the length of $RSU_j$'s public key, the third term represents the length of the signature sent by the vehicle, the fourth term represents the vehicle's public key and the last term is the length of the hint (as shown in Table II).

¹ The ECDSA signature scheme of IEEE 1609.2 [30] is the current standard for VANETs, where the length of a signature is 42 B.

Fig. 4. Communication overhead versus traffic load.

Fig. 4 shows the relationship between the overall communi- 
cation overhead in 1 min and the traffic load within a vehicle. 
Obviously, as the number of messages increases, the trans- 
mission overhead increases linearly. Clearly, we can observe 
that the proposed protocol has much lower communication 
overhead than the other protocols. 

TABLE IV
Comparison of communication overhead of three protocols

Protocol    Send a single message    Send k messages
LAB         181 bytes                181k bytes
GSB_1       197 bytes                197k bytes
GSB_2       60n + 60 bytes           (60n + 60)k bytes
GSB_3       133 bytes                133k bytes
RSUB        70/k + 187 bytes         70 + 187k bytes
PRSB        82 bytes                 82k bytes


C. OBU Computation Overhead 

This subsection compares the OBU computation overhead for the proposed, RSUB and GSB protocols. Since the point multiplication in G and the pairing computations dominate each party's computation overhead, we consider only these operations in the following estimation. Table V gives the measured processing time (in milliseconds) for an MNT curve of embedding degree k = 6 and 160-bit q. The implementation was executed on an Intel Pentium IV 3.0 GHz machine.

TABLE V
Notations and estimated execution time for cryptographic operations

Notation    Description                               Execution Time
T_pmul      Time for one point multiplication in G    0.6 ms
T_pair      Time for one pairing operation            4.5 ms


In our proposed protocol, verifying a message requires $4T_{pair}$, as shown in section IV-C. Let $T_{PRSB}$ be the required time cost in our protocol; then we have:

$T_{PRSB} = 4T_{pair} = 4 \times 4.5 = 18 \ \text{(ms)}$


In the RSUB protocol, verifying a message requires $3T_{pair} + 11T_{pmul}$. Let $T_{RSUB}$ be the required time cost in the RSUB protocol; then we have:

$T_{RSUB} = 3T_{pair} + 11T_{pmul} = 3 \times 4.5 + 11 \times 0.6 = 20.1 \ \text{(ms)}$


In the GSB protocol [6], the time cost to verify a message is related to the number of revoked OBUs in the revocation list. Thus the required time is as follows:

$T_{GSB_1} = 6T_{pmul} + (4+m)T_{pair} = 6 \times 0.6 + (4+m) \times 4.5 \ \text{(ms)}$

Let

$T_{PG} = \dfrac{T_{PRSB}}{T_{GSB}} = \dfrac{4 \times 4.5}{3.6 + (4+m) \times 4.5}, \qquad T_{RG} = \dfrac{T_{RSUB}}{T_{GSB}} = \dfrac{3 \times 4.5 + 11 \times 0.6}{3.6 + (4+m) \times 4.5}$

be the cost ratio between the PRSB and the GSB protocol, and between the RSUB and the GSB protocol, respectively. Fig. 5 plots the time cost ratios $T_{PG}$ and $T_{RG}$ when m OBUs are revoked, as m ranges from 1 to 100. We observe that both time cost ratios decrease as m increases, which demonstrates the much better efficiency of our proposed protocol and the RSUB protocol compared with the GSB protocol, especially when the revocation list is large. We also observe that our proposed protocol is a little more efficient than the RSUB protocol.
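The cost model of this section (the storage units of VI-A, the per-message byte counts of Table IV, the verification times built from Table V and the ratios $T_{PG}$ and $T_{RG}$ plotted in Fig. 5) is carried through below as an added example in Python; it is not code from the paper. Every constant is taken from the text above; the function names, the protocol labels used as dictionary keys and the helper that finds the first m at which a ratio drops under a given limit are assumptions added here.

```python
# Measured primitive costs from Table V (milliseconds).
T_PMUL = 0.6
T_PAIR = 4.5

# Number of anonymous keys per OBU assumed in section VI-A.
N_KEY = 10 ** 4


def storage_units(protocol: str, m: int, n_key: int = N_KEY) -> int:
    """OBU storage units of section VI-A for m revoked OBUs."""
    if protocol == "LAB":
        return (m + 1) * n_key          # own keys plus the revocation list
    if protocol == "GSB":
        return m + 1                     # one private key plus m revoked keys
    if protocol in ("RSUB", "PRSB"):
        return 2                         # key pair plus RSU-issued certificate
    raise ValueError(f"unknown protocol {protocol!r}")


def comm_overhead_bytes(protocol: str, k: int = 1, n: int = 1) -> int:
    """Cryptographic overhead in bytes for sending k messages (Table IV).

    n is the ring size of GSB_2; it is ignored by the other protocols.
    """
    per_message = {
        "LAB": 181,
        "GSB1": 197,
        "GSB2": 60 * n + 60,
        "GSB3": 133,
        "PRSB": 2 + 20 + 20 + 20 + 20,   # ID, RSU key, signature, OBU key, hint
    }
    if protocol == "RSUB":
        # 70 bytes for the short-term key, amortised over k messages,
        # plus 40 (signature) + 147 (key and certificate) per message.
        return 70 + (40 + 147) * k
    if protocol in per_message:
        return per_message[protocol] * k
    raise ValueError(f"unknown protocol {protocol!r}")


def verify_time_ms(protocol: str, m: int = 0) -> float:
    """Message verification time of section VI-C; m is the revocation list size."""
    if protocol == "PRSB":
        return 4 * T_PAIR
    if protocol == "RSUB":
        return 3 * T_PAIR + 11 * T_PMUL
    if protocol == "GSB1":
        return 6 * T_PMUL + (4 + m) * T_PAIR
    raise ValueError(f"unknown protocol {protocol!r}")


def cost_ratios(m: int) -> tuple:
    """(T_PG, T_RG) for m revoked OBUs, as plotted in Fig. 5."""
    t_gsb = verify_time_ms("GSB1", m)
    return verify_time_ms("PRSB") / t_gsb, verify_time_ms("RSUB") / t_gsb


def smallest_m_with_ratio_below(limit: float, protocol: str = "PRSB",
                                m_max: int = 100) -> int:
    """First m in 1..m_max at which the chosen protocol's ratio to GSB_1
    falls below `limit`; -1 if it never does (assumed helper)."""
    idx = 0 if protocol == "PRSB" else 1
    for m in range(1, m_max + 1):
        if cost_ratios(m)[idx] < limit:
            return m
    return -1


if __name__ == "__main__":
    for p in ("LAB", "GSB1", "GSB2", "GSB3", "RSUB", "PRSB"):
        print(f"{p:5s} {comm_overhead_bytes(p, k=60, n=3):6d} bytes/min at 60 msg/min")
    for m in (1, 10, 100):
        print(f"m={m:3d} T_PG={cost_ratios(m)[0]:.3f} T_RG={cost_ratios(m)[1]:.3f}")
```

The Fig. 4 curves correspond to `comm_overhead_bytes` with k set to the number of messages sent per minute; the Fig. 5 curves are `cost_ratios(m)` for m from 1 to 100, and the helper at the end answers the practical question of how large the revocation list has to be before GSB verification costs ten times (or any other factor) more than PRSB verification.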

VII. Summary 

We have presented an efficient conditional privacy-preserving protocol with message trustworthiness, based on proxy re-signature and aimed at secure vehicular communications. We have shown that the proposed protocol not only provides conditional privacy, a critical requirement in VANETs, but is also able to improve the confidence of the message receiver. In this way, our protocol achieves both a priori and a posteriori countermeasures simultaneously. Through extensive performance evaluation, we have demonstrated that the proposed protocol achieves much better efficiency than previously reported counterparts in terms of the number of keys stored at each vehicle, communication overhead and message verification time.
Fig. 5. Time efficiency ratio $T_{PG} = T_{PRSB}/T_{GSB}$ when varying the number of revoked OBUs, m, from 1 to 100.